环境：11.2.0.3 ADG (db11g\db11gadg\db11gcas)

在自己先前克隆后的环境互相tnsping报错。

tnsping 本机ok，tnsping其他机器均报错：

(资料图片)

[oracle@db11g ~]$ tnsping jingyuTNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-MAY-2023 08:09:11Copyright (c) 1997, 2011, Oracle.  All rights reserved.Used parameter files:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.oraUsed TNSNAMES adapter to resolve the aliasAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.18)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = jingyu)))OK (0 msec)[oracle@db11g ~]$ tnsping jyadgTNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-MAY-2023 08:09:14Copyright (c) 1997, 2011, Oracle.  All rights reserved.Used parameter files:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.oraUsed TNSNAMES adapter to resolve the aliasAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.19)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = jyadg)))TNS-12543: TNS:destination host unreachable[oracle@db11g ~]$ tnsping jycasTNS Ping Utility for Linux: Version 11.2.0.3.0 - Production on 13-MAY-2023 08:09:17Copyright (c) 1997, 2011, Oracle.  All rights reserved.Used parameter files:/u01/app/oracle/product/11.2.0/dbhome_1/network/admin/sqlnet.oraUsed TNSNAMES adapter to resolve the aliasAttempting to contact (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.20)(PORT = 1521)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = jycas)))TNS-12543: TNS:destination host unreachable

1.检查防火墙和SElinux状态2.确认克隆的网卡是否正常3.网络层面排查1521端口1.检查防火墙和SElinux状态第一反应就是防火墙或SELinux导致，初步检查发现：防火墙未运行，SELinux也禁用掉。

[root@db11g ~]# service iptables statusRedirecting to /bin/systemctl status iptables.serviceUnit iptables.service could not be found.[root@db11g ~]# getenforcePermissive[root@db11g ~]# cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system.# SELINUX= can take one of these three values:#     enforcing - SELinux security policy is enforced.#     permissive - SELinux prints warnings instead of enforcing.#     disabled - No SELinux policy is loaded.SELINUX=disabled# SELINUXTYPE= can take one of three values:#     targeted - Targeted processes are protected,#     minimum - Modification of targeted policy. Only selected processes are protected. #     mls - Multi Level Security protection.SELINUXTYPE=targeted 

配置文件tnsnames.ora同步到3个环境，保持一致：

# tnsnames.ora Network Configuration File: /u01/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora# Generated by Oracle configuration tools.JINGYU =  (DESCRIPTION =    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.18)(PORT = 1521))    (CONNECT_DATA =      (SERVER = DEDICATED)      (SERVICE_NAME = jingyu)    )  )JYADG =  (DESCRIPTION =    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.19)(PORT = 1521))    (CONNECT_DATA =      (SERVER = DEDICATED)      (SERVICE_NAME = jyadg)    )  )JYCAS =  (DESCRIPTION =    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.1.20)(PORT = 1521))    (CONNECT_DATA =      (SERVER = DEDICATED)      (SERVICE_NAME = jycas)    )  )

2.确认克隆的网卡是否正常

主要怀疑克隆是否MAC地址之类做了变化，期望是不一样的MAC，实际也是，在宿主机看arp记录的和目前的都匹配：

[oracle@bogon ~]$ arp -a|grep 1.18bogon (192.168.1.18) at 52:54:00:6f:92:54 [ether] on br0[oracle@bogon ~]$ arp -a|grep 1.19localhost (192.168.1.19) at 52:54:00:d0:49:1b [ether] on br0[oracle@bogon ~]$ arp -a|grep 1.20localhost (192.168.1.20) at 52:54:00:71:f1:9a [ether] on br0

可现在就是网络IP可以ping通，但是tnsping说啥不通：

[oracle@bogon ~]$ ping 192.168.1.18PING 192.168.1.18 (192.168.1.18) 56(84) bytes of data.64 bytes from 192.168.1.18: icmp_seq=1 ttl=64 time=0.525 ms64 bytes from 192.168.1.18: icmp_seq=2 ttl=64 time=0.312 ms^C--- 192.168.1.18 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1024msrtt min/avg/max/mdev = 0.312/0.418/0.525/0.108 ms[oracle@bogon ~]$ tnsping 192.168.1.18TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 13-MAY-2023 08:39:50Copyright (c) 1997, 2022, Oracle.  All rights reserved.Used parameter files:/u01/app/oracle/product/19.3.0/db_1/network/admin/sqlnet.oraUsed HOSTNAME adapter to resolve the aliasAttempting to contact (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.18)(PORT=1521)))TNS-12543: TNS:destination host unreachable

3.网络层面排查1521端口

以db11g环境为例说明：

[oracle@db11g ~]$ netstat -ano|grep 1521tcp6       0      0 :::1521                 :::*                    LISTEN      off (0.00/0/0)unix  2      [ ACC ]     STREAM     LISTENING     26303    /var/tmp/.oracle/sEXTPROC1521

使用telnet工具定位：

[root@bogon ~]# telnet 192.168.1.18 1521Trying 192.168.1.18...telnet: connect to address 192.168.1.18: No route to host

而正常的环境（其他可以tnsping的正常虚机）应该类似这样：

[root@bogon ~]# telnet 192.168.1.11 1521Trying 192.168.1.11...Connected to 192.168.1.11.Escape character is "^]".

看来的确是网络问题了。说没有路由可达主机，直接traceroute对比看下有何区别：

# 正常的虚机：[root@bogon ~]# traceroute 192.168.1.11traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 60 byte packets 1  bogon (192.168.1.11)  0.556 ms  0.507 ms  0.486 ms# 不正常的虚机：[root@bogon ~]# traceroute 192.168.1.18traceroute to 192.168.1.18 (192.168.1.18), 30 hops max, 60 byte packets 1  bogon (192.168.1.18)  0.516 ms !X  0.450 ms !X  0.404 ms !X[root@bogon ~]# traceroute 192.168.1.19traceroute to 192.168.1.19 (192.168.1.19), 30 hops max, 60 byte packets 1  bogon (192.168.1.19)  0.546 ms !X  0.491 ms !X  0.455 ms !X[root@bogon ~]# traceroute 192.168.1.20traceroute to 192.168.1.20 (192.168.1.20), 30 hops max, 60 byte packets 1  localhost (192.168.1.20)  0.730 ms !X  0.680 ms !X  0.648 ms !X

又回到防火墙。。之前检查命令搞错了，来吧，赶紧正常关闭防火墙：

[root@db11g ~]# systemctl status firewalld● firewalld.service - firewalld - dynamic firewall daemon   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)   Active: active (running) since Sat 2023-05-13 08:38:13 CST; 23min ago     Docs: man:firewalld(1) Main PID: 850 (firewalld)   CGroup: /system.slice/firewalld.service           └─850 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopidMay 13 08:38:12 db11g systemd[1]: Starting firewalld - dynamic firewall dae.....May 13 08:38:13 db11g systemd[1]: Started firewalld - dynamic firewall daemon.May 13 08:38:13 db11g firewalld[850]: WARNING: AllowZoneDrifting is enabled...w.Hint: Some lines were ellipsized, use -l to show in full.[root@db11g ~]# systemctl stop firewalld

一切恢复正常：

[root@bogon ~]# traceroute 192.168.1.18traceroute to 192.168.1.18 (192.168.1.18), 30 hops max, 60 byte packets 1  bogon (192.168.1.18)  0.559 ms  0.497 ms  0.445 ms[root@bogon ~]# telnet 192.168.1.18 1521Trying 192.168.1.18...Connected to 192.168.1.18.Escape character is "^]".[oracle@bogon ~]$ tnsping 192.168.1.18TNS Ping Utility for Linux: Version 19.0.0.0.0 - Production on 13-MAY-2023 08:59:56Copyright (c) 1997, 2022, Oracle.  All rights reserved.Used parameter files:/u01/app/oracle/product/19.3.0/db_1/network/admin/sqlnet.oraUsed HOSTNAME adapter to resolve the aliasAttempting to contact (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=))(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.18)(PORT=1521)))OK (0 msec)

克隆的环境全部都关闭下防火墙，并禁用：

systemctl status firewalldsystemctl stop firewalldsystemctl disable firewalld

一切正常！

这个根因找到后着实有点丢人了，折腾半天居然就是最开始怀疑的防火墙问题，但却因为命令搞错误判了。记得早些时候这个Linux6查看防火墙的命令在Linux7中执行，重定向是可以变成正确命令的。再就是应该多查下，如果是类似下面的输出才是没有防火墙运行：

[root@db11g ~]# /sbin/iptables -LChain INPUT (policy ACCEPT)target     prot opt source               destination         Chain FORWARD (policy ACCEPT)target     prot opt source               destination         Chain OUTPUT (policy ACCEPT)target     prot opt source               destination         

不过troubleshooting的有意思之处也就在于此，你总不能每次都可以快速解决问题，哪怕是相对简单的问题，也可能因为一个疏忽而走不少弯路，但这个过程是有意思的！